Harald Barth | 10 Aug 14:47 2011

Re: Heimdal in Lion


FYI: Apple has closed ticket number 8813134 which is the "original"
Bug-ID, the one the ssh bug was marked a duplicate of. As someone else
is the submitter of 8813134, it is not revealed if "closed" means "an
update will be shipped" or "we don't give a s***". To my knowledge
no update has been shipped yet, so for the users the bug is
still unsolved (open).

Harald.

Jelmer Vernooij | 4 Aug 03:03 2011

[PATCH] Remove more krb4 references from automake files.

From: Jelmer Vernooij <jelmer <at> samba.org>

---
 appl/afsutil/Makefile.am    |    3 --
 appl/ftp/common/Makefile.am |    4 +--
 appl/ftp/ftpd/Makefile.am   |    4 +--
 appl/rcp/Makefile.am        |    2 -
 appl/su/Makefile.am         |    2 +-
 cf/crypto.m4                |   52 -------------------------------------------
 kcm/Makefile.am             |    3 +-
 kdc/Makefile.am             |    9 +++----
 lib/gssapi/Makefile.am      |    3 +-
 lib/krb5/Makefile.am        |    2 +-
 lib/libedit/aclocal.m4      |   32 +++++++++++++++++++++-----
 lib/libedit/ltmain.sh       |   40 +++++++++++++++++++--------------
 12 files changed, 59 insertions(+), 97 deletions(-)

diff --git a/appl/afsutil/Makefile.am b/appl/afsutil/Makefile.am
index c0ca0d5..705bdf1 100644
--- a/appl/afsutil/Makefile.am
+++ b/appl/afsutil/Makefile.am
 <at>  <at>  -2,8 +2,6  <at>  <at> 

 include $(top_srcdir)/Makefile.am.common

-AM_CPPFLAGS += $(INCLUDE_krb4)
-
 bin_PROGRAMS = afslog pagsh

 afslog_SOURCES = afslog.c
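Review bot: dropping `AM_CPPFLAGS += $(INCLUDE_krb4)` from appl/afsutil/Makefile.am is only safe if afslog.c and the pagsh sources no longer carry any krb4 #include; please confirm both still build with the flag gone, because a leftover krb4 include would now fail to resolve. Separately, the diffstat lists 32- and 40-line changes to lib/libedit/aclocal.m4 and lib/libedit/ltmain.sh, which look like regenerated libtool/automake output rather than krb4 references; either split them out of this commit or say in the message why they belong here.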

Harald Barth | 3 Aug 18:30 2011

iprop: Propagating a single create message _again_


As one of my KDC slaves has missed an iprop principal create message I
want to trigger the resending of this iprop message. The iprop log
file on the slaves does _not_ contain the create message, so a log
replay does not help. Modifying the principal does not help as the
modify message does not seem to contain enough to create the principal
on the slave.

If replaying a single old create is not possible, can I force a replay
of _everything_ from the master to the slave? Is there a safe way to
do this, preferably with short or no interruption to the KDC itself?

Harald.

Ethan Tira-Thompson | 30 Jul 00:21 2011

encryption type configuration

Hi, I’ve recently updated to Heimdal 1.4.1apple1 (i.e. Mac OS X Lion), and whenever I try to use kinit I get:
	$ kinit
	kinit: krb5_get_init_creds: KDC has no support for encryption type

My /Library/Preferences/edu.mit.Kerberos contains:
allow_weak_crypto = true
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
default_etypes = des-cbc-crc
default_etypes_des = des-cbc-crc

among other settings
(http://www.cmu.edu/computing/doc/contributed/proj-osx/config/10.4/edu.mit.Kerberos - I
added the allow_weak_crypto)

The weird thing is if I explicitly specify des-cbc-crc on the command line it works fine:
	kinit -e des-cbc-crc #works fine

So why is it only working when I specify encryption type on the command line, and not already reading this
from the config file (it’s getting my default_realm and other server settings from the file, so I know
it's reading it…?)

Thanks,
  -Ethan

Andreas Haupt | 26 Jul 11:35 2011

PKINIT with Ubuntu 11.04

Hi,

does anyone know how to get PKINIT with globus proxy certificates
working with Heimdal 1.4.99 (packaged with Ubuntu 11.04)? With a
self-compiled 1.2.1 it works on that system:

[znpnb195] ~ % /tmp/heimdal/bin/kinit --version
kinit (Heimdal 1.2.1)
Copyright 1995-2008 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs <at> h5l.org
[znpnb195] ~ % /tmp/heimdal/bin/kinit -C FILE:$X509_USER_PROXY -D DIR:$X509_CERT_DIR ahaupt <at> NAF.DESY.DE
[znpnb195] ~ % klist
Credentials cache: FILE:/tmp/tmp.mjlFZuGILM
        Principal: ahaupt <at> NAF.DESY.DE

  Issued           Expires          Principal
Jul 26 11:30:50  Jul 27 12:30:50  krbtgt/NAF.DESY.DE <at> NAF.DESY.DE

With the packaged version I get this error:

[znpnb195] ~ % kinit --version
kinit (Heimdal 1.4.99)
Copyright 1995-2010 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs <at> h5l.org
[znpnb195] ~ % kinit -C FILE:$X509_USER_PROXY -D DIR:$X509_CERT_DIR ahaupt <at> NAF.DESY.DE
kinit: krb5_get_init_creds: Create CMS signedData: RSA private encrypt failed: 569888

Anything that needs to be done additionally now? The client seems to get
stuck already at the initialization - it doesn't even contact the KDC.


Stefan (metze) Metzmacher | 26 Jul 02:18 2011

Some more patches from lorikeet-heimdal

Hi Love,

what do you think about these patches?

metze
From f9913570f0c424015c4270ace1c4f6a47a3f361f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze <at> samba.org>
Date: Sun, 24 Jul 2011 20:55:36 +0200
Subject: [PATCH 1/5] kdc: only pass HDB_F_CANON if the client specified b->kdc_options.canonicalize

metze
---
 kdc/krb5tgs.c |   10 +++++++---
 1 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index b0d5455..85b0be0 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
 <at>  <at>  -1508,6 +1508,7  <at>  <at>  tgs_build_reply(krb5_context context,

     Key *tkey_check;
     Key *tkey_sign;
+    int flags = 0;

     memset(&sessionkey, 0, sizeof(sessionkey));
     memset(&adtkt, 0, sizeof(adtkt));
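Review bot: declaring `int flags = 0;` at the top of tgs_build_reply is fine on its own, but the lines that set and consume `flags` are in the next hunk, which is cut off here; please make sure the `HDB_F_CANON` bit is added only under `if (b->kdc_options.canonicalize)` as the subject line says, and that every database fetch that previously passed HDB_F_CANON unconditionally now receives `flags`, otherwise clients that did not ask for canonicalization keep getting canonicalized replies. If the fetch function takes an unsigned flags argument, declare `flags` with the matching type to avoid reintroducing the signed/unsigned mismatch reported elsewhere in this thread.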
 <at>  <at>  -1517,6 +1518,9  <at>  <at>  tgs_build_reply(krb5_context context,

Harald Barth | 25 Jul 15:06 2011

Re: Heimdal in Lion


The broken ssh in Lion has been assigned Bug ID# 9743343 (amongst
other duplicates). If there is anyone with information on progress on
this, I would be pleased to know. Otherwise I have to prepare a
workaround (in effect shipping a replacement ssh to these users which
want to use our services from OSX Lion), make the support web pages
etc etc. All resulting in more "Kerberos does not work, why are you
using that s***" talk which I really don't need.

Harald.

PS: Since release (5 days) we have 2 users who have fallen for the
"over 250 new features of OSX Lion" and no longer can log in to our
computers.

doug quaid | 25 Jul 09:38 2011

Disable password change for users via kadmind.acl or other


Hi,
Is it possible to prevent all users from changing their password via kadmin? I am using Heimdal 1.2. As far
as I can tell there is no way to do so. I run kadmin as a user, the 'privileges' command says "none" and 'get'
fails, but I am able to issue the 'passwd' command. I have tried adding "joe get joe" to kadmind.acl
with the expectation that joe would only have 'get' privileges, but this still does not prevent joe from
changing joe's password.
Is there another way?
Thanks

Stefan (metze) Metzmacher | 24 Jul 17:37 2011

lib/krb5: Allow any kvno to match when searching the keytab.

Hi Love,

is this patch acceptable for you?

metze
Stefan (metze) Metzmacher | 24 Jul 17:34 2011

kdc: fix comparison between krb5int32 (int) and unsigned int

Hi Love,

I noticed a regression with this commit:

commit f5f9014c90cdf795867ad336803caf802bac7fed
Author: Love Hornquist Astrand <lha <at> h5l.org>
Date:   Fri Apr 29 20:25:05 2011 -0700

    Warning fixes from Christos Zoulas

    - shadowed variables
    - signed/unsigned confusion
    - const lossage
    - incomplete structure initializations
    - unused code
---
 kdc/krb5tgs.c |   15 ++++++++-------
 1 files changed, 8 insertions(+), 7 deletions(-)

Casting (int) to (size_t) is wrong.

metze
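The signed/unsigned pitfall behind this report, and the keytab kvno search from the post before it, as an added example that is not from the patch, the cited commit or Heimdal's sources: the typedefs stand in for the krb5int32 and unsigned int named in the subject, and the rule that a requested kvno of 0 means "any version" is an assumption made for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int32_t krb5int32;   /* stand-in for Heimdal's signed krb5int32 */
typedef unsigned int kvno_t; /* the unsigned side of the comparison */

/* Plain C lets the comparison compile: the usual arithmetic conversions turn
 * the signed operand into unsigned, so -1 becomes UINT_MAX and two values
 * that should never be equal compare equal. gcc -Wsign-compare flags it. */
bool kvno_equal_naive(krb5int32 entry_vno, kvno_t wanted)
{
    return entry_vno == wanted;
}

/* Casting to size_t silences the warning but does not fix anything: on an
 * LP64 host (size_t)-1 is 2^64-1 while (size_t)UINT_MAX is 2^32-1, so the
 * same pair now compares unequal and the result depends on the word size. */
bool kvno_equal_size_t_cast(krb5int32 entry_vno, kvno_t wanted)
{
    return (size_t)entry_vno == (size_t)wanted;
}

/* Handle the sign explicitly: a negative version number is never valid, so
 * reject it before widening; only then is an unsigned compare meaningful.
 * ASSUMPTION of this example: wanted == 0 means "any version matches". */
bool kvno_matches(krb5int32 entry_vno, kvno_t wanted)
{
    if (entry_vno < 0)
        return false;
    if (wanted == 0)
        return true;
    return (kvno_t)entry_vno == wanted;
}

int main(void)
{
    printf("naive(-1, UINT_MAX)       = %d\n", kvno_equal_naive(-1, UINT_MAX));
    printf("size_t cast(-1, UINT_MAX) = %d\n", kvno_equal_size_t_cast(-1, UINT_MAX));
    printf("checked(-1, UINT_MAX)     = %d\n", kvno_matches(-1, UINT_MAX));
    printf("checked(3, 0) wildcard    = %d\n", kvno_matches(3, 0));
    return 0;
}
```

The naive form reports -1 and UINT_MAX as equal on every platform, the size_t cast reports them unequal only on 64-bit hosts, and the checked form rejects the negative value before the comparison is ever made, which is the behaviour a keytab or ticket lookup actually wants.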
Stefan (metze) Metzmacher | 24 Jul 17:29 2011

Set improved enctypes parameter defaults to better match the RFC.

Hi,

is commit f93a56f931e91c7b8eeec83b94015604bbc898f1 of heimdal really
correct?

In Samba we needed to set c->use_strongest_server_key = TRUE in order to get
the same behavior as with heimdal 1.4.

metze
